Support mTLS clusters for e2e testing #11092
Conversation
| @@ -45,7 +45,7 @@ resource "aws_security_group" "primary" { | |||
| # Consul | |||
| ingress { | |||
| from_port = 8500 | |||
There was a problem hiding this comment.
Can this be changed also to 8501?
There was a problem hiding this comment.
Unlike Nomad, Consul uses separate ports for HTTP vs HTTPs, and convention is to use 8500 for plaintext and 8501 for TLS. As TLS is optional, I exposed both ports. Will add a comment.
e2e/terraform/tls_ca.tf
Outdated
| resource "tls_private_key" "ca" { | ||
| algorithm = "ECDSA" | ||
| ecdsa_curve = "P384" | ||
| } | ||
|
|
||
| resource "tls_self_signed_cert" "ca" { | ||
| key_algorithm = "ECDSA" | ||
| private_key_pem = tls_private_key.ca.private_key_pem | ||
|
|
||
| subject { | ||
| common_name = "${local.random_name} Nomad E2E Cluster" | ||
| organization = local.random_name | ||
| } | ||
|
|
||
| validity_period_hours = 720 | ||
|
|
||
| is_ca_certificate = true | ||
| allowed_uses = ["cert_signing"] | ||
| } | ||
|
|
||
| resource "local_file" "ca_key" { | ||
| filename = "keys/tls_ca.key" | ||
| content = tls_private_key.ca.private_key_pem | ||
| } | ||
|
|
||
| resource "local_file" "ca_cert" { | ||
| filename = "keys/tls_ca.crt" | ||
| content = tls_self_signed_cert.ca.cert_pem | ||
| } | ||
|
|
||
| resource "tls_private_key" "api_client" { | ||
| algorithm = "ECDSA" | ||
| ecdsa_curve = "P384" | ||
| } | ||
|
|
||
| resource "tls_cert_request" "api_client" { | ||
| key_algorithm = "ECDSA" | ||
| private_key_pem = tls_private_key.api_client.private_key_pem | ||
|
|
||
| subject { | ||
| common_name = "${local.random_name} api client" | ||
| } | ||
| } | ||
|
|
||
| resource "tls_locally_signed_cert" "api_client" { | ||
| cert_request_pem = tls_cert_request.api_client.cert_request_pem | ||
| ca_key_algorithm = tls_private_key.ca.algorithm | ||
| ca_private_key_pem = tls_private_key.ca.private_key_pem | ||
| ca_cert_pem = tls_self_signed_cert.ca.cert_pem | ||
|
|
||
|
|
There was a problem hiding this comment.
Could we run terraform fmt on this file?
There was a problem hiding this comment.
Good catch. - I expected make hclfmt to format all terraform files as well. I will format the files here, then format the rest of files in a follow up PR.
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| set -o errexit | |||
| set -o nounset | |||
| set +x | |||
| set -x | |||
There was a problem hiding this comment.
Accidental change while debugging - will change back.
and minor tweaks
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This allows us to spin up e2e clusters with mTLS configured for all HashiCorp services, i.e. Nomad, Consul, and Vault. Used it for testing #11089 .
mTLS is disabled by default. I have not updated Windows provisioning scripts yet - Windows also lacks ACL support from before. I intend to follow up for them in another round.